Splunk Enterprise

Why doesn't Report scheduling work properly?

Ultra Champion

I'm bemused with Splunk again (otherwise I wouldn't be posting here ;-)).

But seriously - I have an indexer cluster and two separate searchhead clusters connected with that indexer cluster. One shcluster has ES installed, one doesn't.

Everything seems to be working relatively OK.

I have a "temporary" index into which I ingest some events from which I prepare a lookup by means of a report containing some search ending with | outputlookup.

And that also works OK.


Because it used to work on an "old" shcluster (the one with ES). And it still does.

But due to the fact that we have a new shcluster (the one without ES) and of course lookups are not shared between different shclusters, I defined a report on the new cluster as well.

And here's where the fun starts.

The report is defined and works great when run manually. But I cannot schedule it. I open the "Edit Schedule" dialog, i fill in all the necessary fields, I save the settings... and the dialog closes but nothing happens. If I open the "Edit Schedule" dialog again, the report is still not scheduled.

To make things more interesting, I see entries in conf.log but they do show:

      payload: { -
       children: { -
         action.email.show_password: { +
         dispatch.earliest_time: { +
         dispatch.latest_time: { +
         schedule_window: { -
           value: 15
         search: { +

So there are _some_ schedule-related parameters (and yes - if I verify them in etc/users/admin/search/local/savedsearches.conf they are there)

dispatch.earliest_time = -24h@h
dispatch.latest_time = now
schedule_window = 15

 But there is no dispatch schedule being applied nor is the schedule enabled at all (the enableSched value is not pushed with the confOp apparently).

So I'm stuck. I can of course manually edit the savedsearches.conf for my user but that's not the point.

The version is 8.2.6.

Labels (1)
0 Karma

Ultra Champion

OK. I'm more and more puzzled.

I logged in today and it seems I was able to change the schedule to enabled state and the report did show the schedule but splunk wasn't showing Next Scheduled Time.

So I decided to delete the report altogether and re-create it from scratch. It went relatively well - I created the report, configured the schedule and Next Scheduled Time showed up. Yay!

Then I changed the permissions for the report from Private go Global. And added R/W permissions for admin user and R permissions for one other role. Next Scheduled Time changed to none. w00t?

OK, after some fiddling with permissions it seems that scheduling gets "disabled" if I assign R permission to any role without assigning W permission.

Is there something I don't understand here? I thought R permission in case of reports was for a user to be able to run/see the report and W was so that the user can modify it. Did I misunderstand something (or didn't read the docs thoroughly enough ;-))?


0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...